You know how it works. Your end users visit an infected site and inadvertently download the latest type of malware. If your antivirus software is up to snuff, it will prevent the download or, at the very least, locate and isolate the invading file on the user's hard drive. But what if there is no file on the hard drive to detect? What if instead the malware resides only in memory, running under a trusted process that you, the antivirus software and the operating system itself assume cannot be breached?


That's exactly what happened in Russia earlier this year, when more than 300,000 computers were infected with a unique type of malware -- the fileless bot. After the bot ran unencumbered for several months, Kaspersky Lab announced that it had discovered a rare type of infection being propagated through Russian online information resources. Advertisements supplied to the sites by AdFox, a third-party ad network, contained Java malware that directed browsers to a download server run by cybercriminals.

How the fileless bot works

Step 1: Users visit the infected site. They don't need to take any other action. Without their knowledge, users are redirected to the cybercriminals' server, which we'll call the "master server."

Step 2: The master server injects an encrypted dynamic link library (DLL) file into the Java process (javaw.exe) on users' computers. The Java process runs in the machine's memory. The DLL takes advantage of a well-known vulnerability in Java (more on that in a bit).

Step 3: The malware establishes communication between the user's computer and the master server. Included in the information sent to the master server are technical details about the infected machine. In this sense, the malware runs just like any other bot -- as a software robot that can execute automated tasks over the Internet. However, the AdFox bot is fileless and runs completely in memory.

Step 4: The malware disables User Account Control (UAC), a Windows security component that's supposed to defend users' systems from hackers. The malicious software then seizes the permissions necessary to install a more robust type of malware. In the case of the Russian computers, that downloaded malware was the Lurk Trojan horse, an application whose main function is to steal sensitive data to gain access to online banking services.

For those computers that had not been patched against that Java vulnerability, however, the cybercriminals could easily load their bot into the trusted Java process. And the antivirus software, for the most part, had no idea it was there. In fact, the bot was essentially invisible.
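The two traces this attack does leave on a host are the ones Steps 2 and 4 describe: a DLL that exists only in the memory of javaw.exe, and a UAC that has been switched off. The following Python script is an added example, not code from the article or from Kaspersky Lab, showing how a responder can check a host snapshot for both. It assumes the region fields that VirtualQueryEx reports (protection, type, backing file, first bytes), uses the real PAGE_* and MEM_* constants from winnt.h and the real UAC values under the Policies\System registry key, and runs over a constructed sample snapshot rather than data from the Russian incident.

```python
"""Host triage for the fileless-bot indicators: a PE image living in memory that no
file on disk backs, and a disabled User Account Control. Added example; the region
snapshot below is constructed, not captured from a real infection."""
from dataclasses import dataclass
from typing import Optional

# Memory-protection and region-type constants as defined in winnt.h
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTABLE_MASK = (PAGE_EXECUTE | PAGE_EXECUTE_READ |
                   PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000


@dataclass
class Region:
    """One committed memory region of a process, as VirtualQueryEx reports it."""
    base: int
    size: int
    protect: int                 # PAGE_* protection
    region_type: int             # MEM_IMAGE, MEM_MAPPED or MEM_PRIVATE
    mapped_file: Optional[str]   # backing file on disk, None if anonymous
    head: bytes                  # first bytes of the region


def is_executable(protect: int) -> bool:
    return bool(protect & EXECUTABLE_MASK)


def injected_image_regions(regions):
    """Executable, private (not file-backed) regions that start with a PE header.

    Private executable memory on its own is not a finding: the Java JIT writes
    machine code into anonymous RWX pages all the time. A DOS/PE 'MZ' header in
    such a region is not something the JIT produces, but it is what a DLL that
    was loaded straight from memory instead of from disk leaves behind.
    """
    return [r for r in regions
            if is_executable(r.protect)
            and r.region_type == MEM_PRIVATE
            and r.mapped_file is None
            and r.head.startswith(b"MZ")]


# Values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
def uac_findings(policy_values: dict) -> list:
    """Describe any way UAC has been weakened or disabled; empty list if intact."""
    findings = []
    if policy_values.get("EnableLUA", 1) == 0:
        findings.append("EnableLUA=0: User Account Control is disabled")
    if policy_values.get("ConsentPromptBehaviorAdmin", 5) == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: administrators elevate "
                        "without any prompt")
    if policy_values.get("PromptOnSecureDesktop", 1) == 0:
        findings.append("PromptOnSecureDesktop=0: elevation prompt no longer "
                        "shown on the secure desktop")
    return findings


def triage(process_name, regions, policy_values):
    """Combine both checks into one list of findings for a host snapshot."""
    findings = [f"{process_name}: PE image in unbacked executable memory "
                f"at 0x{r.base:x} ({r.size} bytes)"
                for r in injected_image_regions(regions)]
    findings.extend(uac_findings(policy_values))
    return findings


# Constructed sample snapshot of a javaw.exe process (not real incident data)
SAMPLE_REGIONS = [
    # The javaw.exe image itself, backed by its file on disk: benign
    Region(0x400000, 0x30000, PAGE_EXECUTE_READ, MEM_IMAGE,
           r"C:\Program Files\Java\jre7\bin\javaw.exe", b"MZ\x90\x00"),
    # JIT code cache: private RWX, but no PE header: benign
    Region(0x2a0000, 0x100000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, None,
           b"\x55\x48\x89\xe5"),
    # Anonymous RWX region that starts with a DOS header: the in-memory DLL
    Region(0x1f00000, 0x45000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, None,
           b"MZ\x90\x00\x03\x00"),
    # Heap: private but not executable: benign
    Region(0x600000, 0x80000, PAGE_READWRITE, MEM_PRIVATE, None, b"\x00\x00"),
]
# UAC switched off, the other two values at their defaults
SAMPLE_POLICY = {"EnableLUA": 0, "ConsentPromptBehaviorAdmin": 5,
                 "PromptOnSecureDesktop": 1}

if __name__ == "__main__":
    for line in triage("javaw.exe", SAMPLE_REGIONS, SAMPLE_POLICY):
        print("FINDING:", line)
```

Treat the memory check as one signal rather than proof: a loader that erases the MZ header after mapping the DLL defeats the header test, so a private executable region that is neither the JIT cache nor a known mapped file still deserves a look. The UAC check, by contrast, is cheap and unambiguous, and EnableLUA flipping to 0 on a user workstation is worth alerting on by itself.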

To pull all this off, the cybercriminals used an AdFox customer account to change banner code that appeared on the Russian websites. Specifically, they added a JavaScript IFrame to the code. An IFrame is an inline frame that permits separate HTML files to be loaded into a single document. Within the IFrame, they embedded an encrypted link that redirected users to the master server in the .EU domain. The server then slipped the DLL into the computer's memory without creating physical files on the hard drive.
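A site operator cannot inspect the master server, but it can inspect the banner markup an ad network hands it before that markup reaches a page. The script below is an added example, not code from the article, AdFox or any ad network: it parses a banner, flags any IFrame whose host is not on the operator's allowlist or that is hidden or zero-sized, and also flags script that assembles an IFrame at runtime. The allowlist, the sample banner and its .test and .example domains are constructed for the illustration.

```python
"""Audit third-party banner HTML for IFrames the ad operator did not expect.
Added example; the sample banner below is constructed, not the real AdFox code."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class BannerAuditor(HTMLParser):
    """Collect every <iframe> attribute set and the body of every <script>."""

    def __init__(self):
        super().__init__()
        self.iframes = []       # list of attribute dicts
        self.scripts = []       # list of script bodies
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        elif tag == "script":
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)   # script text may arrive in several pieces

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append("".join(self._buf))
            self._in_script = False


def _host_allowed(host, allowed_hosts):
    return any(host == h or host.endswith("." + h) for h in allowed_hosts)


def _looks_hidden(attrs):
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


def _writes_iframe(script_text):
    # Drop quotes, '+' and whitespace so a split string like '<ifr'+'ame'
    # collapses back to '<iframe' before the comparison
    flat = re.sub(r"""['"+\s]""", "", script_text).lower()
    return "<iframe" in flat


def audit_banner(html, allowed_hosts):
    """Return (element, reasons) pairs for anything a banner served from the
    allow-listed ad hosts should not contain."""
    parser = BannerAuditor()
    parser.feed(html)
    parser.close()
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if not host or not _host_allowed(host, allowed_hosts):
            reasons.append(f"iframe host '{host or src}' is not allow-listed")
        if _looks_hidden(attrs):
            reasons.append("iframe is hidden or zero-sized")
        if reasons:
            findings.append((f"<iframe src={src!r}>", reasons))
    for body in parser.scripts:
        if _writes_iframe(body):
            findings.append(("<script>", ["script builds an iframe at runtime"]))
    return findings


# Constructed banner: one legitimate frame, one hidden redirect, one script-built frame
SAMPLE_BANNER = """
<div class="ad">
  <a href="https://ads.example-adnetwork.test/click?id=1">
    <img src="https://cdn.example-adnetwork.test/banner.png" width="300" height="250">
  </a>
  <iframe src="https://cdn.example-adnetwork.test/frame.html" width="300" height="250"></iframe>
  <iframe src="http://malicious-redirect.example/go" width="0" height="0" style="display: none"></iframe>
  <script>document.write('<ifr'+'ame src="http://another.example/x"></ifr'+'ame>');</script>
</div>
"""
ALLOWED_AD_HOSTS = ["example-adnetwork.test"]

if __name__ == "__main__":
    for element, reasons in audit_banner(SAMPLE_BANNER, ALLOWED_AD_HOSTS):
        print(element, "->", "; ".join(reasons))
```

This is a static check: it sees only the markup as delivered and the literal text of inline scripts, so an IFrame created by a script that is itself fetched from another host, or one built from pieces that the quote-stripping does not reassemble, will not be caught. Running the same audit on a rendered copy of the page, and alerting whenever a banner's frame list changes between deliveries, closes most of that gap.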

A world of fileless malware trouble

Although attacks like the one that took Russia by storm are relatively rare, similar ones have occurred in the past decade, most notably the Code Red and Slammer worms. Both of these worms took advantage of a class of vulnerability known as a buffer overflow, which also allows for a type of fileless attack similar to what we saw in Russia.

Given that these types of attacks have now occurred several times, there's no reason to assume that they won't happen again. And not necessarily just in Russia or against only Windows computers. And not necessarily limited to the Lurk Trojan. Other countries and operating systems are just as vulnerable, and other malware can spread just as easily.

The good news is that, because the fileless bot lives in memory, a simple system restart will get rid of the problem (if it's not already too late). As long as your users don't visit the same or other infected sites, they should have no further problems. And, of course, you should also ensure that the Java apps on their computers are up to date and that they have the latest security patches. This will at least protect them from the bot that hit Russia.

In addition, Apple recently announced that when it releases the next Mac OS update, Java will no longer be included with its browsers. Whether this has anything to do with the fileless bot is difficult to say. But Adam Gowdiak, a researcher at Polish firm Security Explorations, has reportedly identified two new security bugs in Java, so Apple is apparently playing it safe.
